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CLAIMS 



1 LA method for creating and maintaining a plurality of virtual servers within a server, 

2 the method comprising the steps of: 

3 partitioning resources of the server to establish an instance of each virtual server; 

4 and 

5 enabling controlled access to the resources using logical boundary checks and se- 

6 curity interpretations of those resources within the server. 

1 2. The method of Claim 1 wherein the step of partitioning comprises the steps of: 

2 allocating dedicated resources of the server to each instance of the virtual server; 

3 and 

4 sharing common resources of the server among all of the virtual servers. 

1 3. The method of Claim 2 wherein the dedicated resources are units of storage and net- 

2 work addresses of network interfaces of the server. 

1 4. The method of Claim 3 wherein the common resources are an operating system and a 

2 file system of the server. 



1 5. The method of Claim 4 wherein the server is a filer and wherein the virtual servers are 

2 virtual filers (vfilers). 



1 6. The method of Claim 5 wherein the step of enabling comprises the step of providing a 

2 vfiler context structure including information pertaining to a security domain of the 

3 vfiler. 



1 7. The method of Claim 6 wherein the step of allocating comprises the step of providing 

2 a vfstore list of the vfiler context structure, the vstore list comprising pointers to vfstore 
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soft objects, each having a pointer that references a path to a unit of storage allocated to 
the vfiler. 

8. The method of Claim 7 wherein the step of allocating further comprises the step of 
providing a vfnet list of the vfiler context structure, the vfhet list comprising pointers to 
vfhet soft objects, each having a pointer that references an interface address data structure 
representing a network address assigned to the vfiler. 

9. The method of Claim 8 wherein the step of enabling further comprises the step of per- 
forming a vfiler boundary check to verify that a vfiler is allowed to access certain storage 
resources of the filer. 

10. The method of Claim 9 wherein the step of performing comprises the step of validat- 
ing a file system identifier and qtree identifier associated with the units of storage. 

1 1 . The method of Claim 10 wherein the step of performing further comprises the steps 
of: 

for each request to access a unit of storage, using the identifiers to determine 
whether the vfiler is authorized to access the unit of storage; 

if the vfiler is not authorized to access the requested unit of storage, immediately 
denying the request; 

otherwise, allowing the request; and 

generating file system operations to process the request. 

12. A system adapted to create and maintain a plurality of virtual servers within a server, 
the system comprising: 

storage media configured to store information as units of storage resources, the 
units of storage resources allocated among each of the virtual servers; 

network interfaces assigned one or more network address resources, the network 
address resources allocated among each of the virtual servers; 
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7 an operating system having a file system resource adapted to perform a boundary 

8 check to verify that a request is allowed to access to certain units of storage resources on 

9 the storage media, each virtual server allowed shared access to the file system; and 

10 a processing element coupled to the network interfaces and storage media, and 

i i configured to execute the operating and file systems to thereby invoke network and stor- 

12 age access operations in accordance with results of the boundary check of the file system. 

1 13. The system of Claim 12 further comprising a context data structure provided to each 

2 virtual server, the context data structure including information pertaining to a security 

3 domain of the virtual server that enforces controlled access to the allocated and shared 

4 resources. 

1 14. The system of Claim 13 wherein the units of storage resources are volumes and 

2 qtrees. 

1 15. The system of Claim 14 further comprising a plurality of table data structures ac- 

2 cessed by the processing element to implement the boundary check, the table data struc- 

3 tures including a first table having a plurality of first entries, each associated with a vir- 

4 tual server and accessed by a file system identifier (fsid) functioning as a first key into the 

5 table, each first entry of the first table denoting a virtual server that completely owns a 

6 volume identified by the fsid. 

1 1 6. The system of Claim 1 5 wherein the table data structures further include a second ta- 

2 ble having a plurality of second entries, each associated with a virtual server and accessed 

3 by a second key consisting of an fsid and a qtree identifier (qtreeid), each second entry of 

4 the second table denoting a virtual server that completely owns a qtree identified by the 

5 fsid and qtreeid. 

1 17. The system of Claim 1 6 wherein the server is a filer and wherein the virtual servers 

2 are virtual filers. 
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1 8. Apparatus adapted to create and maintain a plurality of virtual filers (vfilers) within 
a filer, the apparatus comprising: 

means for allocating dedicated resources of the filer to each vfiler; 
means for sharing common resources of the filer among all of the vfilers; and 
means for enabling controlled access to the dedicated and shared resources using 
logical boundary checks and security interpretations of those resources within the server. 

19. The apparatus of Claim 18 wherein the means for enabling comprises means for per- 
forming a vfiler boundary check to verify that a vfiler is allowed to access certain dedi- 
cated resources of the filer. 

20. The apparatus of Claim 18 wherein the means for enabling comprises means for pro- 
viding a vfiler context structure including information pertaining to a security domain of 
the vfiler. 

21. A computer readable medium containing executable program instructions for creat- 
ing and maintaining a plurality of virtual filers (vfilers) within a filer, the executable pro- 
gram instructions comprising program instructions for: 

allocating dedicated resources of the filer to each vfiler; 
sharing common resources of the filer among all of the vfilers; and 
enforcing access to the dedicated and shared resources using logical boundary 
checks and security interpretations of those resources within the server. 

22. The computer readable medium of Claim 21 wherein the program instruction for 
enabling comprises a program instruction for performing a vfiler boundary check to ver- 
ify that a vfiler is allowed to access certain dedicated resources of the filer. 

23. The computer readable medium of Claim 21 wherein the program instruction for 
enabling comprises a program instruction for providing a vfiler context structure includ- 
ing information pertaining to a security domain of the vfiler. 
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